August 2024
The August Month at a Glance features a recap of Globalaw Talks... International Deals and the latest Members' activities in July.
It’s a privilege to honour the contributions of my dear friend and mentor, Bill Taylor, a former Partner at Hanson Bridgett LLP, on his retirement. From 2012 to 2014, Bill was President of Globalaw, and for many years before and after, he was an active member of the Board of Directors and an Officer. His leadership, vision, and dedication helped shape Globalaw into the dynamic, global community we know today.
Beyond his formal roles, Bill gave generously of his time and energy. He spent countless hours building and supporting the network, genuinely caring for the people around him. He was never one to sit quietly in meetings; he was always eager to share insightful ideas and perspectives that advanced the discussion. When Bill spoke, people listened. He possessed that rare combination of wisdom and warmth that made his voice both respected and welcomed.
I believe I’m not alone in seeing Bill as a valuable mentor. He was often the first to reach out, whether to offer guidance during challenging times or to invite someone to dinner or a social event. His welcoming spirit left a lasting impression on me, and I know many others feel the same.
One unforgettable memory I share with Bill was during a Globalaw meeting in Tel Aviv, where we had the opportunity to meet Shimon Peres, the former Prime Minister of Israel. In true Bill fashion, he offered to buy a bottle of wine for Prime Minister Peres. Although the offer was politely declined, the Prime Minister approached our table and talked with us.
On that same trip, Bill and I visited Caesarea together. By the end of the ride, he had become best friends with our taxi driver. That’s just who Bill is—he has a gift for connecting with people, no matter where he is or who he’s with.
Bill’s family has also been a cherished part of the Globalaw community. His wife (Kim) has attended many meetings, and his daughter (Lily), of whom he is immensely proud, has been a familiar and welcome presence as well.
Although he may no longer hold an official position, Bill remains a good friend of Globalaw. His legacy lives on through the strength and spirit of our network, and he will always be welcomed at our meetings and events.
While obtaining informed and voluntary consent from data subjects, organisations should clearly state the reasons for collecting the data, how it will be handled, and how it will be used.
Being transparent with subjects about data collection and use is especially important as data creation has proliferated across social media, streaming, digital transactions, smart devices, logins and other identifying information on search browsers, and the rise of AI and metadata in files.
In practice, the manner in which informed and voluntary data subject consent is conducted may vary from jurisdiction to jurisdiction.
This article explores guidelines and best practices for informing data subjects and obtaining voluntary consent in countries within Globalaw’s APAC region, including Hong Kong, India, Japan, South Korea, and Taiwan.
Hong Kong
In Hong Kong, where the governing body is the Office of the Privacy Commissioner for Personal Data (PCPD), a data user must expressly inform the data subject of the purpose for which the data is to be used on or before collection of the data.
The data subject’s provision of personal data after receiving such information is deemed sufficient consent, which is implied.
However, new consent from the data subject is required if such personal data is to be used for a new purpose, for example, when policies change to begin sharing data with a third-party partner for direct marketing.
For cross-border transfers, the Personal Data (Privacy) Ordinance stipulates, among other requirements, that the data subject must also provide written consent specifically; however, this requirement has not yet come into effect.
India
In India, where the governing body is the country’s Ministry of Electronics and Information Technology (MeitY), principal data subject consent should be free, specific, informed, unconditional and unambiguous.
Also, while seeking consent from data principals, a notice must be displayed informing them about: (i) the personal data and the purpose for which the same has been processed; (ii) the manner in which they may exercise their rights; and (iii) the manner in which the data principal may make a complaint to the board. These basic requirements also apply to consent for cross-border transfer of personal information.
Japan
In Japan, where the governing body is the country’s Personal Information Protection Commission, business operators must clearly outline the purpose of data collection and obtain specific consent for the cross-border transfer of personal information, with certain exceptions.
South Korea
In South Korea, where the governing body is the country’s Personal Information Protection Commission, informed and voluntary consent is essential for collecting and using personal data, unless a legal exception applies.
Additionally, consent for collection, third-party provision, and cross-border transfers must be obtained separately and clearly distinguished.
Since March 2023, amendments have expanded the grounds for data collection to include cases necessary for fulfilling contracts or implementing measures requested by data subjects during the contract formation process. The practical application of these changes continues to develop and adapt.
Taiwan
In Taiwan, where the Taiwanese government is in the process of forming the Personal Data Protection Commission, organisations must expressly inform data subjects when collecting personal data.
Organisations must detail the purposes of collection, types of data, usage scope (including duration, geography, territory, and methods), data subject rights, and consequences of non-disclosure, unless exempt by law. When collection involves planning for cross-border transfers, intended overseas jurisdictions should also be specified.
--
This article is part of a series by our Globalaw APAC Data Privacy & Protection Taskforce members.
Globalaw’s APAC Data Privacy & Protection Taskforce comprises 15 law firms in the Asia-Pacific region with specialized expertise in advising international companies on how to implement and manage a multijurisdictional data protection program.
Taskforce member firms combine a strategic, business-minded approach with cross-border collaboration to help clients build and maintain sophisticated and resilient data practices, effectively mitigate and respond to incidents, and provide sophisticated representation to resolve disputes or regulatory investigations.
Explore the Globalaw APAC Data Privacy & Protection Taskforce brochure for more information and regional contacts.
Disclaimer: The information provided in this article is for general informational purposes only and does not constitute legal advice. Information cited, including laws and statutes, is subject to change and is accurate as of 30 June 2025, but readers should verify its current status. We and our member firms shall not be held liable for any loss and/or damage incurred by any person acting as a result of the information contained in this article. Reliance on this content is at the reader’s own risk, and no attorney-client relationship is formed by reading or acting upon this article. Always seek professional legal counsel to ensure compliance with applicable laws and regulations.
A Data Protection Officer (DPO) ensures that an organisation’s data collection, processing and use complies with applicable data protection rules and regulations. DPOs are generally data protection experts with specialized knowledge and experience. They provide advice and guidance on best practices, compliance, policies and procedures, education and training, risk management and data breach response protocols.
The rapid pace of data creation, accelerated by content generated by AI, social media, streaming, digital transactions and smart technology, has increased government intervention in data governance and protection.
As such, certain jurisdictions require that companies appoint a DPO, while others strongly recommend it. This article explores the DPO requirements, qualifications and responsibilities in countries within Globalaw’s Asia Pacific region, including Hong Kong, India, Japan, South Korea, and Taiwan.
DPO Requirements by Jurisdiction
Appointing a DPO is a recommended practice rather than a requirement in both Hong Kong and Japan. By contrast, South Korea requires most companies to appoint a DPO, except those with fewer than 10 permanent employees.
In India, DPOs are required for significant data fiduciaries. While Taiwan does not require DPOs, certain industries mandate the designation of data protection personnel.
Qualifications of a DPO
For Hong Kong, Japan, Taiwan, and South Korea, there are no mandatory certifications, licenses, or qualifications required before someone can be appointed as a company’s DPO.
While there are also no legal or technical qualification mandates for India, a DPO shall (a) be based in India, and (b) be an individual responsible to the Board of Directors or similar governing body of the significant data fiduciary.
Responsibilities of a DPO
The responsibilities of a DPO vary by jurisdiction and, in some cases, by industry and are authorized by the governing authority of that jurisdiction.
Hong Kong
Governing Body: The Office of the Privacy Commissioner for Personal Data (PCPD).
The PCPD provides the following recommendations:
India
Governing Body: Government of India, Ministry of Electronics and Information Technology (MeitY)
Under the Digital Personal Data Protection Act (DPDP), the DPO shall represent the significant data fiduciary under the provisions of the legislation and be the point of contact for the grievance redressal mechanism.
Japan
Governing Body: Personal Information Protection Commission
A DPO is not subject to any legally mandated responsibilities.
South Korea
Governing Body: The Personal Information Protection Commission
Under the Personal Information Protection Act (PIPA), the DPO handles personal information for business purposes to comply with the regulations. These responsibilities include:
Taiwan
Governing Body: The Taiwanese government is in the process of forming the Personal Data Protection Commission.
Only specific industries are required to designate responsible personnel, and sector-specific regulations govern their responsibilities.
--
October 1, 2025 – Globalaw, a leading network of independent law firms, announces the launch of its APAC Data Privacy & Protection Taskforce, comprising 15 law firms in the Asia-Pacific region with specialised expertise in advising international companies on implementing and managing multijurisdictional data protection programmes.
“International companies face an ever-changing web of data privacy and protection laws,” said Globalaw President Peter J. Brown. “Globalaw’s APAC Data Privacy & Protection Task Force provides seamless, cross-border expertise to help clients navigate these issues with clarity and confidence. Our member firms offer strategic advice and legal support to reduce risks, ensure compliance, and build long-term trust.”
Taskforce member firms combine a strategic, business-minded approach with cross-border collaboration to help clients build and maintain responsible and resilient data practices, effectively mitigate and respond to incidents, and provide sophisticated representation to resolve disputes or regulatory investigations. Whether addressing GDPR, CCPA, or emerging data protection frameworks across multiple jurisdictions, our network grants access to the following firms offering consistent, high-quality guidance in the Asia-Pacific region:
Guam: Calvo Jacob & Pangelinan, LLP
Indonesia: Bagus Enrico & Partners
Singapore: Goodwins Law Corporation
Thailand: Legal Advisory Council Limited
Globalaw introduced the Sports Law Taskforce earlier this year, which provides dedicated legal counsel and representation for athletes and stakeholders worldwide. Visit Globalaw Publications & Resources for more information.
About Globalaw
Globalaw is a Chambers Global-ranked Band 1 Leading Law Firm Network of approximately 80 independent law firms and 4,000 lawyers in over 60 countries. Our mission is to foster seamless legal collaboration among member firms and assist them in delivering high-quality, cost-effective solutions to their clients worldwide. We take pride in our commitment to excellence, global reach, and innovative approach to legal services. Visit www.globalaw.net to learn more.
Media Contact:
Jaime Luckey